Mixes Mixes - state of the art Enables the user to communicate - PowerPoint PPT Presentation

Mixes

Mixes - state of the art • Enables the user to communicate with each other without identifying each other in general • If a mix-mediated system is used to transmit messages, the communicating parties cannot be correlated by anybody who observes the NW and /or even corrupts some of the mixes used.

Mixes and their attacking models • What is Mix ? is a network node with cryptographic facilities that hides the relations between communicating users . • Functionality of Mix: � Mix changes the appearance of the message by using a suitable cryptosystem � Non-correlation by message length can be achieved if all messages have the same length initially and a length-preserving scheme is used for the cryptographic operations � Time correlation is avoided as the mix collects all messages in its buffer and records them before they are forwarded

Functionality of Mix � The buffering allows retention of a set of messages in the Mix, whose I/O sequence is changed by reordering This way, no correlation of the incoming and the forwarded messages of a mix is possible � Buffering modes are ‘batch mode’,’ pool mode’ in the former all messages are processed at once after the buffer is filled. In the latter, one message is selected from a full buffer after a further message has been arrived .

Functionality of Mix

Functionality of Mix • For sending a message N through the mixes: 1. Alice must prepare her message. 2. Encrypting the message with the public key c i of the mix 3. The next envelop by the second mix 4. This is done by decrypting them with their private keys, hence each mix (funny mix-men) can only open a distinct envelop that contains its personal address 5. Bob receives the message ⇒ no body can relate Alice and Bob as long as there are transferred sufficiently many other letters and not all mix/men cooperate as attackers.

Functionality of Mix • Alice encodes a message N by successively encrypting N i + 1 plus some random bits r i + 1 with the public key c i of each mix M i (starting with the last one) • N i is sent to M i which is addressed by A i . • Only M i is able to further process N i because of its knowledge of the secret key belonging to c i therefore it can extract A i + 1 and forward N i + 1 • The last mix of the chain gets the address A m + 1 of the recipient, Bob, to whom the message N is intended and forwarded it, it may still be encrypted for Bob, but this is independent of the mix protocol

Example of the mix functionality : C 1 ( r 4 ,c 2 (r 1 ,N x )) C 1 ( r 5 ,c 2 (r 2 ,N y )) C1( r6,c2(r3,Nz)) Mix 1 C 2 ( r 3 , N z ) C 2 ( r 1 , N x ) C 2 ( r 2 , N y ) Mix 2 N y N z N x

Example of the mix functionality : Mix 1 • buffering of incoming messages • ignoring message replay • Recoding messages d i (c i (r i ,N i ))=r i ,N i • Ignoring r i and forwarding N i • Reordering messages

Example of the mix functionality : • Each which is put around the original message must contain random bits (named r i +1)in order to prevent bridging a trustworthy • otherwise an eavesdropper C i (A i +1,r i +1 , N i +1) Mix i could easily correlate messages A i +1,N i +1 because of the deterministic nature of a mix

How to connect mixes ? • Mixes must be developed and operated by independent users, otherwise an attacker who controls one mix would be able to control all • It is advisable to diversify information and system components locally, that gives an attacker a less opportunities to attack the system • The existence communication network N cs and an anonymity network N as is assumed

How to connect mixes ? • For N as the following assumptions are made: at least one mix M i of the mix chain , MC k the message passes must be trustworthy . • This may be achieved by organizationally dividing the responsibilities (i.e. different providers) • This means :PM i ∀ ∃ ∈ ∧ ≠ ⇒ ≠ k . i , j .( Mi , Mj MC i j ) ( PM PM ) k i j

How to connect mixes ? • Whereby a mix chain MC comprises m mixes ≥ ( m 1 ) with ⊕ being the concatenation of all mixes used .. Hence : m ∀ ∈ ∧ = ⊕ k . MC N MC M k AS k i = i 1 • a mix chain that is used persistently in the same order is called cascade (static order) • Mixes can be connected as a mix cascade or as open mix sequence

Preparing the message • Messages can be prepared for sender, recipient anonymity, and combined. • Sender anonymity : � The following formula introduced the general scheme for sender anonymity, which is using a direct coding scheme = N : N + m 1 i = = ( m ,......., 1 ) N : C ( A , r , N ) + + + i i i 1 i 1 i 1

Preparing the message • Recipient anonymity: � Bob first creates an anonymous return address (RA) according to the sender anonymity scheme � He transmits it to Alice and following its receipt she can send her message N using RA to encrypt her message RA = : R 1 B A = = = N 1 : RA , msg ( R . I R , k ( N )) 1 1 1 0

Preparing the message � The scheme is called indirect since bob has to deliver the secret first in order to receive a message anonymously � This also involves some additional calculation steps as each mix has to encrypt the sender's message with the symmetric key it finds after decrypting the header of RA = R : e + m 1 i = ( m ,......, 1 ) = R : c ( k , A , R ) + + i i i i 1 i 1 Where e is a flag that only B (index m+1) can recognize

Preparing the message • R i contains all necessary information for the mix the keys K i represent symmetric keys that the mixes have to apply if somebody uses RA(:=R 1 ) in order to send a message to B • If A wants to send a message to N to B , she uses R 1 and sends her information I 1 to the first mix • I 1 contains the message N • Thus she sends N 1 =R 1 ,I 1 to the first mix according to the following formula:

Preparing the message N = R I With i i i = I k ( N ) 1 0 = = + I k ( I )......( i 2 ,....., m 1 ) − − i i 1 i 1 • the first mix decrypts R 1 with its private key d 1 and uses k 1 for the further encrypting of I 1 =K 0 (N) = e , I e , k (...( k ( k ( N )))...) • the recipient gets therefore + m 1 m 1 0 And retrieve N because of his knowledge about e and all k i

Preparing the message • Combining sender and recipient anonymity: � If both schemes are combined, there must exist a selected network node (N) relating the both anonymity schemes

Length preserving schemes • Avoid correlations by length. they are indirect as well. to obtain the same size of all message blocks, random bits are added to each message • Every message has a fixed length of b blocks that each contain an anonymous RA, random bits and the actual message the anonymous RA is set out as follows : [ ] = R : e + m 1 [ ] = = R : c ( k , A ) , k ( R ).......( i m ,...., 1 ) + + i i i i 1 i i 1

Length preserving schemes • [] symbolize the boundary of the block .depending on the anonymity scheme wanted, the application of K i in the following refers to either encryption or decryption. the appropriate operation is length preserving . • In case of sender anonymity A generates RA and prepares her message N by successively encrypting it with the keys K i , which are also included in R i for each mix subsequently she sends N 1 to the first mix = = N H I with...H R 1 1 1 1 1 = I k (k (....k (c (N))....)) + 1 1 2 m m 1

Length preserving schemes • H 1 :the header representing the anonymous RA • I 1 is the contents of the message • By splitting the message this way, the block length b is maintained constant. every time R i gets shorter, random bits are added • In case of recipient anonymity, the sender does not know the symmetric keys that the mixes have to use. the sender knows only k 0 as the key to encrypt his message for the recipient thus the sender builds his message N 1 according to the following formula:

Length preserving schemes N = H I = with H R 1 1 1 1 1 = I k ( N ) 1 0 Handling the information (k 0 ,A 1 ,R 1 ) from the RA selected . Each mix M i builds the message N i+1 for the following mix using the following scheme N = with = = + I k ( I )......... ( i 2 ,....., m 1 ) H I − − i i 1 i 1 i i i

The attacking model Definition : attacking model is a model that describes the strength of the attacker i.e : � Which parts of the system are accessible and /or can be manipulated by the attacker in which way and � Which computational capacities are available to him

The attacking model Definition :The attacking model for mixes : � Is an attacking model which fulfills the following conditions : � An attacker can tap all lines :he can read all inputs and outputs of all mixes and user stations � m-1 of m mixes used can be corrupted :all information of the mix is known to the attacker or can even be manipulated by him � There is no protection against a global attacker :if he can control n-1 of n users of the network, there is no chance to protect the n-th user